Frequently Asked Questions

1.  

What is this fingerprint I see when first connecting to the management server?

2.  

What happened to the Apply gateway rules to interface direction property?

3.  

How are the rules in the Security Policy applied to incoming data?

4.  

VPN-1/FW-1 just looks like an application running on my server; how does it protect the underlying OS from attack?

5.  

How does the Inspection Engine handle fragmented packets?

6.  

Can I get a copy of VPN-1/FW-1 for evaluation?

1.  

In order to verify that you are connecting to the intended management station (rather than an imposter), FW-1 uses a fingerprint phrase. To ensure that secure communication between the GUI client and management server is set up properly, be sure that you have the server s fingerprint to verify before initiating the first connection to a new server. If you choose to cancel and not accept the fingerprint, your authentication credentials will not be sent.

2.  

In previous versions of FW-1 you could specify, in the policy properties, the data direction (inbound, outbound, or eitherbound) in which the security policy would be applied on the firewall s interfaces. In VPN-1/FW-1 NG, Check Point has removed this option and the security policy rules are now applied both inbound and outbound (also known as eitherbound) on all interfaces. Aside from not being needed in the new version of the Inspection Engine, removing this option is likely for the best, since few people actually understood how it worked or why it was needed.

3.  

The Security Policy rules are applied from top to bottom. Data for which no rule applies will be dropped after falling to the bottom of the Security Policy. Data dropped in this fashion is not logged, which is why a drop all rule is used with source: any, destination: any, service: any and track set to log is normally written at the bottom of the rule base.

4.  

The FW-1 Inspection Engine is inserted into the OSs kernel just above layer two of the OSI model. Since Layer two is actually the firewall s NIC driver, this means that data must pass through the firewall Security Policy before being allowed to move onto the OSs IP stack. Therefore, the underlying OS is never exposed to raw, unfiltered network data.

5.  

When you look at fragmented packets individually, most of the information needed to make a control decision is in the first packet. However, FW-1 needs the entire assembled packet for a couple of reasons. First, the data section of the packet is most likely to be fragmented since it is at the end of the packet and is the largest section. Depending on the rules in your policy, this data may need to be inspected in its entirety to make a control decision. Second, the second and subsequent fragments only contain the remainder of the original packet (usually the data portion), not another copy of the full packet headers, which may also be needed to make the control decision. Without reassembling the packet, it may not be possible to apply it to the security policy, since information about source and destination ports would be missing. To get around this, FW-1 will completely reassemble a packet before applying it to the Security Policy. To prevent a Denial of Service (DoS) attack caused by a high volume of incomplete packet fragments, a timer is used when the first fragment arrives. If the timer expires before the complete packet is reassembled, the fragments are discarded. Once a packet is reassembled and a control decision is made to pass the packet on, the original fragments are released in the same fragmented condition and order as they arrived in, to the destination. The behavior of whether to allow fragmented packets and the timer are both configurable now in SmartDefense.

6.  

To request an evaluation package with the software, documentation, and licenses required to fully test VPN-1/FW-1 in your network, head to www.checkpoint.com/getsecure.html.